In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11, in certain configurations of FPM setup it is possible to cause the FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

Upstream bug: https://bugs.php.net/bug.php?id=78599
Upstream commit: http://git.php.net/?p=php-src.git;a=commitdiff;h=ab061f95ca966731b1c84cf5b7b20155c0a1c06a
Created php tracking bugs for this issue: Affects: fedora-all [bug 1766379]
Notice: this issue only affects NGINX + PHP users. Affected nginx configuration can be fixed, some details in upstream (php) bug 78599 report
There's an issue when running php-fpm behind the nginx web server. The nginx configuration allows the user to choose which portion of the received request will be handled as the script to be run and which one will be extra data; this is done using a regular expression via the fastcgi_split_path_info directive and the fastcgi_param PATH_INFO parameter. When setting fastcgi_split_path_info with the regex '^(.+?\.php)(/.*)$;', some requests may cause an out-of-bounds write due to an underflow caused by weak path validation in the init_request_info() function. An attacker can leverage this bug by creating specially crafted requests which will trigger the problem; as a consequence, the attacker can corrupt memory, cause php-fpm to crash and cause remote code execution. This flaw has a high impact for confidentiality, availability, and integrity.
Mitigation:

1) Check your nginx configuration files, especially the ones related to php-fpm, for the presence of the pattern below in the fastcgi_split_path_info regex and the PATH_INFO parameter:

~~~
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
~~~

2) If the fastcgi_split_path_info regex matches the one above, for each fastcgi_param PATH_INFO entry perform the following change:

~~~
fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty;
~~~

This step will allow you to safely continue using the PATH_INFO parameter while the patch is not applied.

3) Restart your nginx instance:

~~~
systemctl restart nginx
~~~
External References: https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:3287 https://access.redhat.com/errata/RHSA-2019:3287
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:3286 https://access.redhat.com/errata/RHSA-2019:3286
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11043
There are some preconditions that should be met in order for the attack to work:

1) The script should be forwarded to php-fpm, so the requested location should match the location's regex in the nginx configuration file;

2) The fastcgi_split_path_info directive's regular expression should start with '^' and end with '$';

3) The PATH_INFO variable should be assigned at some point looking like:

~~~
fastcgi_param PATH_INFO $fastcgi_path_info;
~~~

and the SCRIPT_FILENAME variable should be set at some point in all configuration files for the given location as shown below:

~~~
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
~~~

4) File existence is not checked in the configuration files (directives like try_files or if(-f $uri) are not used).
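The mitigation check from step 1 above and the preconditions just listed can be turned into a small configuration audit. The script below is an added example, not part of this bug report or of the nginx/PHP projects: it flags a config file that has both an anchored fastcgi_split_path_info regex and a PATH_INFO parameter fed from $fastcgi_path_info without the if_not_empty guard, and runs that check over two constructed sample configs (file names and the fastcgi_pass socket path are hypothetical).

```shell
#!/bin/sh
# Added example, not from the bug report: scan an nginx config file for the
# fastcgi_split_path_info / PATH_INFO combination the report describes.
# Prints VULNERABLE when the file has both a split regex anchored with ^ and $
# and a PATH_INFO param fed from $fastcgi_path_info without if_not_empty.
check_fpm_path_info() {
    # Drop comments so commented-out directives do not trigger a finding.
    stripped=$(sed 's/#.*//' "$1")
    anchored=$(printf '%s\n' "$stripped" \
        | grep -Ec 'fastcgi_split_path_info[[:space:]]+\^.*\$;' || true)
    unguarded=$(printf '%s\n' "$stripped" \
        | grep -E 'fastcgi_param[[:space:]]+PATH_INFO[[:space:]]+\$fastcgi_path_info' \
        | grep -vc 'if_not_empty' || true)
    if [ "$anchored" -gt 0 ] && [ "$unguarded" -gt 0 ]; then
        echo VULNERABLE
    else
        echo OK
    fi
}

# Constructed sample configs written to a temp dir (hypothetical paths).
WORK=$(mktemp -d)
VULN_CONF="$WORK/vuln.conf"
FIXED_CONF="$WORK/fixed.conf"
# Location block matching all four preconditions from the report.
cat > "$VULN_CONF" <<'EOF'
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php-fpm/www.sock;
}
EOF
# Same location after applying mitigation step 2 (if_not_empty).
cat > "$FIXED_CONF" <<'EOF'
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php-fpm/www.sock;
}
EOF

echo "vuln.conf:  $(check_fpm_path_info "$VULN_CONF")"
echo "fixed.conf: $(check_fpm_path_info "$FIXED_CONF")"
```

Point the function at the real files under /etc/nginx (for example `check_fpm_path_info /etc/nginx/conf.d/php-fpm.conf`) to audit a host; a VULNERABLE result means step 2 of the mitigation still needs to be applied there.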
This issue has been addressed in the following products:

- Red Hat Software Collections for Red Hat Enterprise Linux 7
- Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:3299 https://access.redhat.com/errata/RHSA-2019:3299
This issue has been addressed in the following products:

- Red Hat Software Collections for Red Hat Enterprise Linux 7
- Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:3300 https://access.redhat.com/errata/RHSA-2019:3300
Statement: This issue only affects instances running php-fpm under the nginx server software, as environment paths and parameters are handled by different pieces of code depending on the server php-fpm is running under. The code where this issue is found is used exclusively when php-fpm detects that the request came through an nginx server. The Red Hat Product Security team rated this issue as having a Critical security impact, as an attacker may take advantage of the existing bug to cause Remote Code Execution on network-exposed software.
This issue has been addressed in the following products:

- Red Hat Software Collections for Red Hat Enterprise Linux 7
- Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:3724 https://access.redhat.com/errata/RHSA-2019:3724
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3735 https://access.redhat.com/errata/RHSA-2019:3735
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3736 https://access.redhat.com/errata/RHSA-2019:3736
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:0322 https://access.redhat.com/errata/RHSA-2020:0322
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2020:2835 https://access.redhat.com/errata/RHSA-2020:2835